CVE-2026-4594

Name of the Vulnerable Software and Affected Versions erupts versions through 1.13.3

Description A flaw exists in the geneEruptHqlOrderBy function located in the file erupt-data/erupt-jpa/src/main/java/xyz/erupt/jpa/dao/EruptJpaUtils.java. Manipulation of the sort.field argument can lead to a SQL injection vulnerability within Hibernate. This issue is remotely exploitable. The exploit has been publicly disclosed. The vendor was notified but did not respond.

Recommendations Versions prior to 1.13.3 should be updated. As a temporary workaround, consider restricting or disabling the use of the geneEruptHqlOrderBy function until a patch is available. Avoid using the sort.field parameter in the affected API endpoint until the issue is resolved.